From Debian package 0.0.20080702-7 Allowed courier-pop and apache to access unconfined home directories. (Dependent on daemon_access_unconfined_home boolean) Superseded by RBAC, but much of it retained in 0.0.20090621-1 From 0.0.20090621-1: Remove courier hunk Remove unconfined_write_home_content_files interface Add unconfined_read_home_content_files interface
Index: policy/modules/services/apache.te
===================================================================
--- policy/modules/services/apache.te.orig
+++ policy/modules/services/apache.te
@@ -469,6 +469,14 @@
 tunable_policy(`httpd_enable_homedirs',`
 userdom_read_user_home_content_files(httpd_t)
 ')
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+ tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', `
+ unconfined_read_home_content_files(httpd_t)
+ ')
+')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 fs_read_nfs_files(httpd_t)
@@ -744,6 +752,14 @@
 corenet_tcp_connect_all_ports(httpd_suexec_t)
 corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+ tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', `
+ unconfined_read_home_content_files(httpd_suexec_t)
+ ')
+')
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 allow httpd_sys_script_t httpdcontent:file entrypoint;
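Review bot: The new tunable_policy calls put a space between the closing quote of the condition and the opening quote of the body, whereas the existing calls in this file (the use_nfs_home_dirs and httpd_unified ones visible as context) run them together; the same spacing appears in the httpd_suexec_t and httpd_sys_script_t hunks, so all three should be written like the surrounding calls. The block is otherwise undocumented: a one-line comment such as `# daemon_access_unconfined_home is declared in unconfined.te, hence the gen_require inside optional_policy` would tell a maintainer why this is not a plain tunable_policy like its neighbours. It is also worth stating at this first block that the access is only granted when both httpd_enable_homedirs and daemon_access_unconfined_home are set, since the effective default then depends on how the latter is declared in the unconfined module.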
@@ -829,6 +845,14 @@
 tunable_policy(`httpd_enable_homedirs',`
 userdom_read_user_home_content_files(httpd_sys_script_t)
 ')
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+ tunable_policy(`httpd_enable_homedirs && daemon_access_unconfined_home', `
+ unconfined_read_home_content_files(httpd_sys_script_t)
+ ')
+')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 fs_read_nfs_files(httpd_sys_script_t)
Index: policy/modules/system/unconfined.if
===================================================================
--- policy/modules/system/unconfined.if.orig
+++ policy/modules/system/unconfined.if
@@ -587,3 +587,24 @@
 allow $1 unconfined_t:dbus acquire_svc;
 ')
+
+########################################
+##
+## Read files in unconfined users home directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_read_home_content_files',`
+ gen_require(`
+ type unconfined_home_dir_t, unconfined_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+ read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+')
Index: policy/modules/system/unconfined.te
===================================================================
--- policy/modules/system/unconfined.te.orig
+++ policy/modules/system/unconfined.te
@@ -21,6 +21,15 @@
 init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
+##
+##
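Review bot: The summary of the new unconfined_read_home_content_files interface ("Read files in unconfined users home directories") understates what the body grants: besides reading unconfined_home_t files it gives the caller search on the home parent via files_search_home, list_dir_perms on both unconfined_home_dir_t and unconfined_home_t directories, and read of symlinks through read_lnk_files_pattern. Suggest the summary `Read files and symlinks in unconfined users' home directories, including listing the home directory and its subdirectories.` so a policy writer picking this interface from the generated documentation sees the full grant. The shape appears to mirror userdom_read_user_home_content_files, which the apache hunks call alongside it; if that is the intent, a short comment saying so would make the pairing deliberate rather than coincidental.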

+## Enabling this allows some daemons to access unconfined_home_dir_t and
+## unconfined_home_t as if they were regular home directories. This does
+## reduce the protection...
+##

+##
+gen_bool(daemon_access_unconfined_home,true)
+
 ########################################
 #
 # Local policy
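Review bot: `gen_bool(daemon_access_unconfined_home,true)` turns the relaxation on by default, so as soon as httpd_enable_homedirs is set the three apache domains in this patch read unconfined users' home content with no further opt-in, even though the description above says it reduces protection. A boolean that widens access should default off, `gen_bool(daemon_access_unconfined_home,false)`, and be switched on deliberately by the administrator. The description also trails off at "reduce the protection..."; if that ellipsis is in the policy text, finish the sentence by naming what is reduced, namely the separation between unconfined users' home content and the daemons that consume this boolean. Since the consumers use tunable_policy, declaring it with gen_tunable rather than gen_bool would also match how refpolicy declares booleans intended for tunable_policy, though that depends on the build's tunable handling and is worth confirming.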